
The audit, which began Aug. 16, was funded by the Open Source Technology Improvement Fund (OSTIF) and executed by two researchers at Quarkslab.

The examination was carried out against VeraCrypt 1.18; VeraCrypt is a fork of TrueCrypt, the once-popular and de facto standard for free FDE, which was abandoned in 2014 under mysterious circumstances as the project’s maintainers said the code was no longer safe to use. TrueCrypt was soon thereafter audited by the Open Crypto Audit Project and a number of vulnerabilities were uncovered, but no backdoors as was feared in the aftermath of the initial Snowden leaks.

Part of the VeraCrypt audit was to ensure that any vulnerabilities identified in the OCAP audit of TrueCrypt were patched in VeraCrypt. The remainder of the assessment was a look into VeraCrypt’s existing code and new features, including UEFI support, support for non-Western crypto algorithms, and more.

The audit confirmed that all of the vulnerabilities found in the OCAP audit have been fixed in VeraCrypt except for one issue labeled as “minor.” This includes a pair of privilege escalation issues disclosed by Google Project Zero researcher James Forshaw.

Forshaw disclosed the bugs, both rated critical, after the conclusion of the OCAP audit; one of the vulnerabilities found in the TrueCrypt driver was more severe. VeraCrypt developer Mounir Idrassi told Threatpost a year ago that the driver does not properly validate the drive letter symbolic link used to mount volumes. An attacker can gain full administrative privileges by abusing this flaw, Idrassi said.

Quarkslab said in a blog post announcing the results that vulnerabilities requiring substantial code work or re-architecting have also not been fixed.

“These include the AES implementation, which is still susceptible to cache-timing attacks, and the issues in TC_IOCTL_OPEN_TEST that need to change the application behavior,” Quarkslab said, adding that vulnerabilities leading to TrueCrypt incompatibility related to crypto mechanisms have also not yet been addressed. Those include an assessment that keyfile mixing in VeraCrypt is not cryptographically sound, and the discovery of unauthenticated ciphertext in volume headers that could lead to attackers forging them with relatively small queries.

As for new issues, three stood out as the most crucial, Quarkslab said.

VeraCrypt makes use of the GOST 28147-89 symmetric 64-bit block cipher, a weaker cipher than others used in the product.

According to Derek Zimmer, OSTIF president, GOST was added in VeraCrypt 1.17; the algorithm is a Soviet-developed alternative to DES.

“The implementation in VeraCrypt was designed to strengthen the algorithm to a usable state for modern crypto, but fell short,” Zimmer said in a Reddit AMA yesterday.

GOST 28147-89 is expected to be removed in version 1.19, Quarkslab said.

“The XTS code has not been adapted for such ciphers, so VeraCrypt emulates a 128-bit block cipher by encrypting two 64-bit blocks in CBC mode with a zero IV, which in itself raises several issues,” Quarkslab said. “Furthermore, to reach the same level of security as its 128-bit counterpart, the amount of data to be processed should be no more than 512 bytes which is too small to be considered for a data at rest encryption system.”
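Added example (not from Quarkslab, VeraCrypt or the original article): a sketch of the two-block CBC emulation Quarkslab describes, outside of XTS, using a toy hash-based Feistel cipher as an assumed stand-in for GOST 28147-89; the function names and sample data are hypothetical. It shows one structural property of the construction: the first 64 bits of output depend only on the first 64 bits of input, which is not true of a native 128-bit block cipher.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Toy balanced Feistel permutation over 8- or 16-byte blocks.
    A stand-in for illustration only; this is NOT GOST 28147-89."""
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for i in range(rounds):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:h]
        left, right = right, _xor(left, f)
    return left + right

def emulated_128(key: bytes, block16: bytes) -> bytes:
    """128-bit 'block' emulated as two 64-bit blocks in CBC with a zero IV."""
    if len(block16) != 16:
        raise ValueError("expected a 16-byte block")
    c1 = toy_block_encrypt(key, block16[:8])            # zero IV: C1 = E(P1)
    c2 = toy_block_encrypt(key, _xor(block16[8:], c1))  # C2 = E(P2 xor C1)
    return c1 + c2

def changed_halves(encrypt, key: bytes, a: bytes, b: bytes) -> tuple:
    """Which 8-byte halves of the ciphertext differ between inputs a and b."""
    ca, cb = encrypt(key, a), encrypt(key, b)
    return (ca[:8] != cb[:8], ca[8:] != cb[8:])

# Constructed sample data: two blocks that differ only in their second half.
KEY = bytes(range(32))
BLOCK_A = b"HEADER00" + b"balance1"
BLOCK_B = b"HEADER00" + b"balance2"

if __name__ == "__main__":
    # Emulated 128-bit block: first ciphertext half is unchanged -> (False, True)
    print("emulated:", changed_halves(emulated_128, KEY, BLOCK_A, BLOCK_B))
    # Native 128-bit permutation: both halves change -> (True, True)
    print("native  :", changed_halves(toy_block_encrypt, KEY, BLOCK_A, BLOCK_B))
```
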

The audit also concluded that VeraCrypt’s compression libraries are either outdated or poorly written and must be replaced, a problem that could be leveraged for code execution. The results cite VeraCrypt’s use of older versions of zlib as an issue and say they will be replaced or rewritten in 1.19.

Finally, the audit revealed that if the system is encrypted, an attacker may be able to retrieve the boot password in UEFI mode, or its length in legacy mode.

“I would recommend version 1.19 containing the fixes, and be careful to read the documentation,” Zimmer said. “As long as you are following the documentation for known issues and using it as advised, I believe it is one of the best FDE systems out there.”
